MedusaLocker

Malware Profile Updated 24 days ago
MedusaLocker is a ransomware family first observed in September 2019 that primarily targets Windows machines and is distributed through spam email. The US Department of Health and Human Services described it as "lesser known but potent" in a February 2023 report. Its operators took advantage of the disruption caused by the COVID-19 pandemic, with the healthcare sector among their primary targets. Once inside a network, the ransomware propagates via a batch file that executes a PowerShell script. On each host it disables security and forensic software, restarts the machine in safe mode to evade detection, and then encrypts files with AES-256. PCrisk has reported a newer MedusaLocker variant that appends the .crypto1317 extension to encrypted files and drops a ransom note named How_to_back_files.html; like other ransomware, it terminates specific services by referencing a hardcoded list.

MedusaLocker should not be confused with Medusa, a separate ransomware operation first observed in 2021 that emerged as a Ransomware-as-a-Service (RaaS) platform in late 2022. The Medusa RaaS operation typically relies on double extortion: data is exfiltrated before encryption and the threat of leaking it is used as additional leverage for payment. Reports on Singapore's threat landscape cite this RaaS model as reflecting global trends, alongside other common operations such as LockBit and DeadBolt.
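The host-level behaviours listed above (ransom note and renamed files, a forced safe-mode reboot, stopped services, and a batch file launching PowerShell) can be checked for directly on a suspect Windows host. The script below is an added example written for this page; it is not code from the original profile, from any CISA/HHS advisory, or from any vendor listed in the sources. It looks for the .crypto1317 extension and How_to_back_files.html note named above, a safeboot value on the current boot entry, security or backup services that are not running, and cmd.exe to powershell.exe process chains in the Security log. The scan roots, the watched service names and the bcdedit mechanism are assumptions; the malware's own hardcoded service list is not reproduced on this page.

```powershell
# Added triage example (not from the original profile or any vendor tooling).
# Checks a Windows host for the MedusaLocker-style behaviours described above:
#   1. files with the .crypto1317 extension and the How_to_back_files.html ransom note
#   2. a boot configuration that forces the next start into Safe Mode
#   3. security/backup services that are no longer running
#   4. cmd.exe -> powershell.exe process chains in the Security log (event 4688)
# Assumptions: scan roots, the watched service list and the bcdedit check are
# illustrative choices, not indicators published for this family.
# Run from an elevated PowerShell 5.1+ session; event 4688 requires process-creation
# auditing (and command-line auditing for the CommandLine field) to be enabled.

param(
    [string[]]$ScanRoots = @("$env:SystemDrive\Users", "$env:SystemDrive\ProgramData"),
    [string]$RansomExtension = '.crypto1317',
    [string]$RansomNote = 'How_to_back_files.html',
    [int]$LookbackHours = 24
)

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Write-Warning 'Not elevated: the Security log and some paths will be skipped or incomplete.'
}

$findings = [System.Collections.Generic.List[psobject]]::new()

function Add-Finding {
    param([string]$Category, [string]$Detail)
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Encrypted files and ransom notes (stop after 50 hits per root; one hit is enough to escalate)
foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq $RansomExtension -or $_.Name -ieq $RansomNote } |
        Select-Object -First 50 |
        ForEach-Object { Add-Finding -Category 'File' -Detail $_.FullName }
}

# 2. Safe Mode boot setting. The profile says the malware reboots into Safe Mode but not how;
#    'bcdedit /set {current} safeboot minimal|network' is the generic way to force it, so look
#    for a safeboot value on the current boot entry (assumed mechanism).
$bcd = & bcdedit.exe /enum '{current}' 2>$null
foreach ($line in @($bcd)) {
    if ($line -match '^\s*safeboot\s+(\S+)') {
        Add-Finding -Category 'Boot' -Detail "Current boot entry has safeboot=$($Matches[1])"
    }
}

# 3. Services defenders expect to be running. These names are assumptions about common
#    targets, not the list hardcoded in the malware.
$watchServices = 'WinDefend', 'wscsvc', 'VSS', 'SQLWriter', 'MSSQLSERVER', 'wuauserv', 'EventLog'
foreach ($name in $watchServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') {
        Add-Finding -Category 'Service' -Detail "$name is $($svc.Status) (StartType $($svc.StartType))"
    }
}

# 4. Batch file -> PowerShell chains, the propagation pattern described above.
#    An empty result can also mean auditing is off or the log is not readable.
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$LookbackHours) }
foreach ($e in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['ParentProcessName'] -like '*\cmd.exe' -and
        $data['NewProcessName'] -like '*\powershell.exe') {
        Add-Finding -Category 'Process' -Detail "$($e.TimeCreated) cmd.exe -> powershell.exe $($data['CommandLine'])"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No MedusaLocker-style indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Any 'File' or 'Boot' finding on a host that is not in a planned maintenance window should be treated as an active incident: isolate the machine from the network before the pending safe-mode reboot completes, and preserve the batch and PowerShell scripts referenced in the 4688 command lines for the investigation.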
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID: Medusa (votes: 2)
Profile Description: Medusa, a threat actor known for its ransomware activities, has been on the rise since late 2023, exploiting the Citrix Bleed vulnerability (CVE-2023-4966) alongside other groups such as LockBit and ALPHV (BlackCat). This vulnerability led to numerous compromises by these groups.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
RaaS
Ransomware
Encrypt
Encryption
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the MedusaLocker malware was read from the documents in the corpus below (display limited to 20 results).
Source (created at): Title
Quick Heal Technologies Ltd. (8 months ago): MedusaLocker Ransomware: An In-Depth Technical Analysis and Prevention Strategies
CERT-EU (8 months ago): Philippines: Hackers demand $300k after health insurer's data compromised | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (8 months ago): Philippines state health org struggling to recover from ransomware attack
CERT-EU (7 months ago): Medusa Claims Canadian Psychological Association Cyberattack
CERT-EU (9 months ago): French town of Sartrouville recovering from cyberattack claimed by ransomware gang | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (8 months ago): Hackers attack PhilHealth's website, systems | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (7 months ago): The Week in Ransomware - October 20th 2023 - Fighting Back
CERT-EU (8 months ago): PhilHealth hit by ransomware – report | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (a year ago): The Week in Ransomware - March 10th 2023 - Police Take Action
CERT-EU (6 months ago): The Week in Ransomware - December 1st 2023 - Police hits affiliates
CERT-EU (9 months ago): French town of Sartrouville recovering from cyberattack claimed by ransomware gang
Unit42 (5 months ago): Medusa Ransomware Turning Your Files into Stone
CERT-EU (6 months ago): The Week in Ransomware - November 17th 2023 - Citrix in the Crosshairs
CERT-EU (8 months ago): MEDUSA Cyber Attacks: Two New Victims Added To The List!
CERT-EU (a year ago): Ransomware and phishing attacks continue to plague businesses in Southeast Asia | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (5 months ago): Ransomware victims are being offered payment extension plans as groups ratchet up pressure | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (6 months ago): What do Toyota's data breaches teach us about cybersecurity? | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (5 months ago): 86% of cyberattacks are delivered over encrypted channels - Help Net Security
CERT-EU (a year ago): Nine looks for new cyber security director